Dear Luiz,
Thank you for the patch.
On 29.08.25 at 21:21, Luiz Augusto von Dentz wrote:
From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
This fixes the following deadlock:
--------------------------------------------
syz.4.423/7568 is trying to acquire lock:
ffff888068c48078 (&hdev->lock){+.+.}-{4:4}, at: mgmt_remove_adv_monitor_complete+0x9e/0x2e0 net/bluetooth/mgmt.c:5524
but task is already holding lock:
ffff888068c48078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x3ab/0x11a0 net/bluetooth/hci_sync.c:5200
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&hdev->lock);
lock(&hdev->lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by syz.4.423/7568:
#0: ffff888068c48d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:480
#1: ffff888068c48078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x3ab/0x11a0 net/bluetooth/hci_sync.c:5200
#2: ffff888068c48690 (&hdev->cmd_sync_work_lock){+.+.}-{4:4}, at: hci_cmd_sync_dequeue+0x50/0x1f0 net/bluetooth/hci_sync.c:887
Fixes: b747a83690c8 ("Bluetooth: hci_sync: Refactor add Adv Monitor")
Closes: https://syzkaller.appspot.com/bug?extid=e8651419c44dbc2b8768
Reported-by: syzbot+e8651419c44dbc2b8768@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
---
net/bluetooth/mgmt.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 989321b1ea27..9c1ee6ae7c66 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5189,6 +5189,14 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
struct mgmt_pending_cmd *cmd = data;
struct adv_monitor *monitor = cmd->user_data;
+ /* This is likely the result of hdev being closed and mgmt_index_removed
+ * is attempting to clean up any pending command so
+ * hci_adv_monitors_clear is about to be called which will take care of
+ * freeing the adv_monitor instances.
+ */
+ if (status == -ECANCELED)
+ return;
+
hci_dev_lock(hdev);
rp.monitor_handle = cpu_to_le16(monitor->handle);
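Review bot: the lockdep report in the commit message names mgmt_remove_adv_monitor_complete (net/bluetooth/mgmt.c:5524) as the site re-acquiring &hdev->lock under hci_dev_close_sync, yet this hunk only adds the -ECANCELED early return to mgmt_add_adv_patterns_monitor_complete around line 5189; please either state in the commit message why the add path is the one that needs the guard, or add the same check to the remove completion handler so the reported trace is actually covered. It would also help to have the new comment say explicitly who frees `cmd` and `monitor` on the cancelled path, since the early return skips everything after `hci_dev_lock(hdev)` and a reader of this function cannot see from the visible lines that mgmt_index_removed and hci_adv_monitors_clear take care of both.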
Reviewed-by: Paul Menzel <pmenzel@xxxxxxxxxxxxx>
Kind regards,
Paul